Security

The bid is your IP. We treat it that way.

Your past proposals, project portfolio, team CVs, and unsubmitted drafts are competitive intelligence. Our security posture exists because losing your data — even to one other tenant of our app — would end the company.

Controls

Security architecture

Data residency

Application data in Fly Postgres (Sydney); uploaded files on an encrypted Fly persistent volume (Sydney); encrypted offsite backups in Tigris object storage (Sydney, ap-southeast-2). Other regions via custom deployment.

Encryption everywhere

TLS 1.3 for every request. Encryption at rest on the Fly Postgres database and the encrypted file volume; offsite backups encrypted at rest in Tigris. MultiFernet key rotation on tenant secrets — keys rotate without re-encrypting historical data.

Authentication

Email + password with bcrypt + per-request rate limiting. SSO/SAML (Okta, Azure AD, Google Workspace) on Enterprise. Optional API keys with per-key scoping. JWT sessions with rotation + httpOnly cookies.

Tenant isolation

Every database query filters by organization_id at the query layer (not just the API). Cross-tenant access mathematically impossible — verified by a dedicated test suite that runs every commit.
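The query-layer rule described above, as an added example that is not tenderwright's own code: a small repository class where every SQL statement binds the caller's organization_id, plus the kind of cross-tenant check a per-commit test suite would run. It uses sqlite3 in memory; the table, column and feature names are assumptions.

```python
"""Added example (not tenderwright's code): enforcing the
'every query filters by organization_id at the query layer' rule and
verifying it. Table/column names are assumptions."""
import sqlite3
from typing import Optional

# Assumed schema for the demonstration.
SCHEMA = """
CREATE TABLE proposals (
    id INTEGER PRIMARY KEY,
    organization_id INTEGER NOT NULL,
    title TEXT NOT NULL
);
CREATE INDEX ix_proposals_org ON proposals(organization_id);
"""


class TenantScopedRepo:
    """Every method binds organization_id into the SQL itself, so a
    caller (API handler, background job, admin tool) cannot reach
    another tenant's rows by supplying a foreign row id."""

    def __init__(self, conn: sqlite3.Connection, organization_id: int):
        if organization_id is None:
            raise ValueError("organization_id is required")
        self.conn = conn
        self.org = organization_id

    def create(self, title: str) -> int:
        cur = self.conn.execute(
            "INSERT INTO proposals (organization_id, title) VALUES (?, ?)",
            (self.org, title))
        return cur.lastrowid

    def get(self, proposal_id: int) -> Optional[tuple]:
        return self.conn.execute(
            "SELECT id, organization_id, title FROM proposals "
            "WHERE id = ? AND organization_id = ?",
            (proposal_id, self.org)).fetchone()

    def list_ids(self) -> list:
        rows = self.conn.execute(
            "SELECT id FROM proposals WHERE organization_id = ? ORDER BY id",
            (self.org,)).fetchall()
        return [r[0] for r in rows]

    def update_title(self, proposal_id: int, title: str) -> int:
        # Returns rows affected: 0 when the row belongs to another tenant.
        cur = self.conn.execute(
            "UPDATE proposals SET title = ? WHERE id = ? AND organization_id = ?",
            (title, proposal_id, self.org))
        return cur.rowcount

    def delete(self, proposal_id: int) -> int:
        cur = self.conn.execute(
            "DELETE FROM proposals WHERE id = ? AND organization_id = ?",
            (proposal_id, self.org))
        return cur.rowcount


def verify_isolation() -> bool:
    """Cross-tenant check of the kind a per-commit test suite would run:
    org 2 must not be able to read, rename or delete org 1's proposal,
    even when it knows the primary key."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    org1, org2 = TenantScopedRepo(conn, 1), TenantScopedRepo(conn, 2)
    pid = org1.create("Org 1 bid")            # constructed sample rows
    org2.create("Org 2 bid")

    assert org1.get(pid) is not None
    assert org2.get(pid) is None              # foreign id reads as absent
    assert org2.update_title(pid, "x") == 0   # nothing modified
    assert org2.delete(pid) == 0              # nothing deleted
    assert org2.list_ids() == [pid + 1]       # only its own row
    assert org1.get(pid)[2] == "Org 1 bid"    # org 1's row untouched
    return True


if __name__ == "__main__":
    print("isolation holds:", verify_isolation())
```

The point of returning rowcount from update and delete is that a cross-tenant write is indistinguishable from a missing row: the caller gets 0 and no information about whether the id exists for another tenant.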

Audit logging

Every proposal create, update, export, and delete logged with user + org + timestamp + IP. Append-only audit table. Enterprise tier includes export to your SIEM via webhook.

Backups + retention

Daily encrypted database backups: an offsite logical dump to Tigris object storage (14-day retention) plus daily Fly volume snapshots (5-day retention). Customer-initiated data export available on request.

AI handling

Your content is never trained on.

The biggest enterprise security question about AI products is the right one to ask. Here's exactly how it works.

No model training on your content

Anthropic and Google process each request per call on their API tiers; your proposals never enter any training corpus. We surface a fabrication scanner on every AI output so you see what the model returned before you accept it.

Per-org AI budget caps

Hard $ ceiling on monthly AI spend. Throttling kicks in at 80% (degraded), 95% (essential features only — executive summary, compliance check), and 100% (paused until next month or upgrade).

Prompt + completion logging

Per-call AIUsageLog with feature name, tokens, cost, latency, status. Available to org admins under Settings → AI Usage. Used for budget enforcement and your own audit needs.
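How the budget thresholds and the per-call usage log described in the two sections above fit together, as an added example that is not tenderwright's own code: spend for an org and month is summed from a constructed usage log, mapped onto the 80% / 95% / 100% bands, and a feature is allowed or refused accordingly. The feature names, the log record shape and the rule that every logged call counts against the cap are assumptions.

```python
"""Added example (not tenderwright's code): per-org monthly AI budget
gate driven by a per-call usage log. Feature names, record fields and
the constructed log entries are assumptions."""
from dataclasses import dataclass

# Features that remain available in the 'essential' band (assumed names).
ESSENTIAL_FEATURES = {"executive_summary", "compliance_check"}


@dataclass(frozen=True)
class BudgetDecision:
    mode: str          # "normal" | "degraded" | "essential" | "paused"
    allowed: bool
    spent_ratio: float


def month_spend(usage_log, org_id: int, month: str) -> float:
    """Sum the cost of every logged call for org_id in the given month.
    Assumption: all calls count, whatever their status; a failed call
    that cost nothing contributes 0 anyway."""
    return sum(r["cost_usd"] for r in usage_log
               if r["org_id"] == org_id and r["ts"].startswith(month))


def budget_mode(spent_usd: float, cap_usd: float) -> str:
    """Map spend to a band; the thresholds are the ones in the text."""
    if cap_usd <= 0:
        raise ValueError("cap must be positive")
    ratio = spent_usd / cap_usd
    if ratio >= 1.0:
        return "paused"      # blocked until next month or upgrade
    if ratio >= 0.95:
        return "essential"   # only ESSENTIAL_FEATURES
    if ratio >= 0.80:
        return "degraded"    # callers may choose a cheaper path
    return "normal"


def check_feature(feature: str, spent_usd: float, cap_usd: float) -> BudgetDecision:
    mode = budget_mode(spent_usd, cap_usd)
    if mode == "paused":
        allowed = False
    elif mode == "essential":
        allowed = feature in ESSENTIAL_FEATURES
    else:
        allowed = True
    return BudgetDecision(mode, allowed, spent_usd / cap_usd)


# Constructed sample log: each record mirrors the fields the text lists
# (feature, tokens, cost, latency, status) plus org and timestamp.
SAMPLE_LOG = [
    {"org_id": 7, "ts": "2025-03-02T09:00:00Z", "feature": "draft",
     "tokens": 12000, "cost_usd": 40.0, "latency_ms": 2100, "status": "ok"},
    {"org_id": 7, "ts": "2025-03-10T11:30:00Z", "feature": "rewrite",
     "tokens": 9000, "cost_usd": 30.0, "latency_ms": 1800, "status": "ok"},
    {"org_id": 7, "ts": "2025-03-15T16:05:00Z", "feature": "draft",
     "tokens": 8000, "cost_usd": 26.0, "latency_ms": 1950, "status": "ok"},
    {"org_id": 7, "ts": "2025-02-28T23:59:00Z", "feature": "draft",
     "tokens": 8000, "cost_usd": 26.0, "latency_ms": 1900, "status": "ok"},
    {"org_id": 8, "ts": "2025-03-05T08:00:00Z", "feature": "draft",
     "tokens": 5000, "cost_usd": 15.0, "latency_ms": 1200, "status": "ok"},
]


def decide(feature: str, org_id: int, month: str, cap_usd: float,
           usage_log=SAMPLE_LOG) -> BudgetDecision:
    """Gate one request: aggregate spend from the log, then check the band."""
    return check_feature(feature, month_spend(usage_log, org_id, month), cap_usd)


if __name__ == "__main__":
    # Org 7 has spent 96 of a 100 USD cap in March 2025: essential band.
    print(decide("draft", 7, "2025-03", 100.0))
    print(decide("executive_summary", 7, "2025-03", 100.0))
```

Because the decision is recomputed from the log rather than from a counter updated on the side, the number shown to admins under AI Usage and the number the throttle acts on cannot drift apart.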

Subprocessors

Who else processes your data

Every external service in the data path. We add to this list when we add a subprocessor; existing customers get 30 days' notice before any change takes effect.

Provider, purpose and region:

  • Anthropic: AI inference (Claude) — drafting, parsing, rewrites. Region: US (no training on customer content).
  • Google AI: AI inference (Gemini) — fallback + embeddings. Region: US (no training on customer content).
  • Fly.io: App hosting + Postgres database + encrypted file storage. Region: Sydney (ap-southeast-2).
  • Tigris (Fly): Offsite encrypted database backups. Region: Sydney (ap-southeast-2).
  • Stripe: Payment processing (Enterprise contracts). Region: Global.
  • SMTP email relay: Transactional email (welcome, password reset).

Compliance posture

Where we are

  • NZ Privacy Act 2020 — Privacy Officer reachable at privacy@tenderwright.com; 10-business-day response on access/correction/deletion requests
  • GDPR — DPA available on request for EU customers; subprocessor list above is the §28 disclosure
  • Australian Privacy Principles (APPs) — Sydney data residency satisfies APP 8 cross-border restrictions for ANZ tenants
  • SOC 2 Type II — controls in place; formal audit scheduled FY26 (target Q3)
  • ISO 27001 — alignment in progress; targeting certification post-SOC 2

✓ in place · ○ in progress

Disclosure

Found something?

Coordinated disclosure is welcome and encouraged. Email security@tenderwright.com with reproduction steps. We acknowledge within 48 hours and target a fix within 30 days for high-severity issues.

Hall of fame for responsible reporters; we do not pursue legal action against good-faith research. Out of scope: rate-limit fuzzing, social engineering, third-party services we don't control.

Report a vulnerability

Need a DPA, audit pack, or custom contract?

Enterprise teams: book a security review. We'll walk through the SOC 2 readiness pack, sign your DPA, and discuss custom deployment options.